Mozilla discovered that Opera does not handle input to file form fields properly, allowing scripts to manipulate the file path (CVE-2008-1080). Max Leonov found out that image comments might be treated as scripts, and run within the wrong security context (CVE-2008-1081). Arnaud reported that a wrong representation of DOM attribute values of imported XML documents allows them to bypass sanitization filters (CVE-2008-1082).

Impact
======

A remote attacker could entice a user to upload a file with a known path by entering text into a specially crafted form, to execute scripts outside intended security boundaries and conduct Cross-Site Scripting attacks.

This GLSA and any updates to it are available for viewing at the Gentoo Security Website:

http://security.gentoo.org/glsa/glsa-200803-09.xml

Concerns?
=========

Security is a primary focus of Gentoo Linux and ensuring the confidentiality and security of our users' machines is of utmost importance to us. Any security concerns should be addressed to security@gentoo.org or alternatively, you may file a bug at http://bugs.gentoo.org.